Last post Jan 22, 2018 07:35 AM by Brando ZWZ
Jan 19, 2018 01:52 PM|PRam79|LINK
I currently have an application that displays a Telerik Grid on the page. I am using AntiXss to encode all fields with this convention (Text='<%# HtmlEncode(Eval("txtDescription"), False) %>'). I am using .NET Framework 4.61. A scan using Acunetix shows there is an Expression Language Injection. All of my findings point to Java and the Spring EL interpreter. Are there any safeguards I can implement in order to prevent this attack?
Jan 22, 2018 07:35 AM|Brando ZWZ|LINK
As far as I know, Expression Language Injection is related to EL in Java.
Remediation of Expression Language Injection:
Whenever possible, applications should avoid incorporating user-controllable data into dynamically evaluated code. In almost every situation, there are safer alternative methods of implementing application functions, which cannot be manipulated to inject arbitrary code into the server's processing.
If it is considered unavoidable to incorporate user-supplied data into dynamically evaluated code, then the data should be strictly validated. Ideally, a whitelist of specific accepted values should be used. Otherwise, only short alphanumeric strings should be accepted. Input containing any other data, including any conceivable code metacharacters, should be rejected.
I suggest you try to avoid incorporating user-controllable data into dynamically evaluated code by not using Text='<%# HtmlEncode(Eval("txtDescription"), False) %>'. Bind all the text values in the code-behind instead of using Text='<%# HtmlEncode(Eval("txtDescription"), False) %>'.
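The code-behind binding suggested in the answer above, as an added example that is not code from either poster. It assumes a Web Forms page with a Telerik RadGrid named RadGrid1 whose template column holds a Literal named litDescription, a data source with a txtDescription field, and the AntiXSS library's Encoder.HtmlEncode(string, bool) overload that the question's markup already uses; the control and column names are assumptions. The markup keeps no Eval expression at all; the value is read, encoded and assigned in the ItemDataBound handler.

```csharp
// Added example (not from the original thread): encode and bind grid cell text
// in the code-behind instead of a <%# HtmlEncode(Eval("txtDescription"), False) %>
// data-binding expression in the .aspx markup.
//
// Assumed markup (no Eval expression in the template):
//   <telerik:RadGrid ID="RadGrid1" runat="server" AutoGenerateColumns="false"
//                    OnItemDataBound="RadGrid1_ItemDataBound">
//     <MasterTableView>
//       <Columns>
//         <telerik:GridTemplateColumn HeaderText="Description">
//           <ItemTemplate>
//             <asp:Literal ID="litDescription" runat="server" />
//           </ItemTemplate>
//         </telerik:GridTemplateColumn>
//       </Columns>
//     </MasterTableView>
//   </telerik:RadGrid>
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Telerik.Web.UI;
using Microsoft.Security.Application;   // AntiXSS: Encoder.HtmlEncode

public partial class ItemList : Page
{
    // Fires once per grid item while the grid is being data-bound.
    protected void RadGrid1_ItemDataBound(object sender, GridItemEventArgs e)
    {
        // Header, footer and pager items carry no bound record; skip them.
        var dataItem = e.Item as GridDataItem;
        if (dataItem == null)
            return;

        var literal = (Literal)dataItem.FindControl("litDescription");
        if (literal == null)
            return;

        // Read the raw field value from the bound record (assumed field name).
        string raw = Convert.ToString(DataBinder.Eval(dataItem.DataItem, "txtDescription"));

        // Encode exactly once, in code, immediately before assigning to the control.
        literal.Text = SafeHtmlText(raw);
    }

    // Single place where output encoding for grid text happens. Using the
    // same AntiXSS overload as the original markup: the second argument
    // (useNamedEntities = false) selects numeric over named entities.
    internal static string SafeHtmlText(string value)
    {
        return Encoder.HtmlEncode(value ?? string.Empty, false);
    }
}
```

Keep the Literal in its default mode rather than Mode="Encode", otherwise the already-encoded text would be encoded a second time and entities would render literally. The scanner finding itself is a separate question from this binding change: the code above only removes the inline data-binding expression that the answer recommends avoiding, and does not alter what the page accepts as input.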